wuaudit.exe virus

Hello everyone, I need some help to remove a trojan that is detected with avast. It is detected as wuaudit.exe virus. I ran all the software described in http://forum.avast.com/index.php?topic=53253.0 but it is still there.

I do not know what else to do and I am losing my patience with this Trojan.
Please, can someone help me?

Here are the LOGs

Thanks

Run a bootscan with avast and run Malwarebytes. That should take care of the problem.

And please search this webboard before posting.
http://forum.avast.com/index.php?topic=130078.0

@gallegoj

I will look at your logs.

This fix shall fix your problem:
Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.


:FILES
ipconfig /flushdns /c
C:\Users\Jonathan\AppData\Local\Temp\tsiVi032.dll
C:\Users\Jonathan\AppData\Local\Temp\iswizard
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\agoenciogemlojlhccbcpcfflicgnaak
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\chmimgmjdabgiilljdjfbonifbhiglao
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\eimhlfnbjllicocigjdalpodkokffbmm
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejjicmeblgpmajnghnpcppodonldlgfn
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\enadeelnincmhhilgbiphjbjnnagnhmh
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\fbpifhknilaflibiifjhhofddbbchmhh
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\flogpfmjdekjoilcnmmchanikomlidie
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdbabpaggdgcakhjllleobffeghmhjme
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdbabpaggdgcakhjllleobffeghmhjme
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gdkjifoifglkpcdffkenpinlbjgephlo
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gighmmpiobklfepjocnamgkkbiglidom
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gmbgaklkmjakoegficnlkhebmhkjfich
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ijecamokjmiajijbajfnlbkfknpplkdf
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\kfdckejfnkaemompfjhecfmhjgnchmjg
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\lgdfnbpkmkkdhgidgcpdkgpdlfjcgnnh
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\loamdenijebhollnjgehcfbnpeelfhlk
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\mjocghlclkpgheifflemilcnblodjohg
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\okboeogmnhjpgbeaokfogelclpblaemo
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ooagbcohbmlpkfkdnodbomgphbcecalj
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ooagbcohbmlpkfkdnodbomgphbcecalj
C:\Users\Jonathan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia

:OTL
O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKU\S-1-5-21-1365072474-943141896-2643588273-1000..\Run: [tsiVideo] C:\Users\Jonathan\AppData\Local\Temp\tsiVi032.dll ()

:COMMANDS
[CREATERESTOREPOINT]
[EMPTYTEMP]

[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.

If the log doesn’t appear, it can be found here:

c:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

---- Next -----

aswMBR shows traces of a possible TDL rootkit. We shall re-check that.

Download TDSSKiller and save it to your desktop

Execute TDSSKiller.exe by double-clicking on it, and accept all pop-ups on start.

[*] Press Start Scan

[*] If Suspicious object is detected, the default action will be Skip, click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive, which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.
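
As an added example (not part of the original posts and not OTL's own code), the sketch below parses `O4` autorun lines like the one in the fix above and reports why an entry such as `tsiVideo` stands out. The line layout is inferred from the single `O4` line on this page, reading the trailing parentheses as a company-name field is an assumption, and the `ExampleUpdater` line is constructed.

```python
import re
from pathlib import PureWindowsPath

# Layout inferred from the O4 line in the fix above (an assumption):
#   O4 - <hive>..\Run: [<value name>] <target path> (<company, may be empty>)
O4_RE = re.compile(
    r"^O4(?::64bit:)?\s*-\s*(?P<hive>\S+?)\.\.\\Run(?:Once)?:\s*"
    r"\[(?P<name>[^\]]*)\]\s*(?P<target>.+?)\s*\((?P<company>[^()]*)\)\s*$"
)

# First line is constructed; the other two are copied from the fix script.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [ExampleUpdater] C:\Program Files (x86)\Example\updater.exe (Example Corp)
O4 - HKU\S-1-5-21-1365072474-943141896-2643588273-1000..\Run: [tsiVideo] C:\Users\Jonathan\AppData\Local\Temp\tsiVi032.dll ()
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
"""

def parse_o4(line):
    """Return a dict for an O4 Run-key line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["target"] = entry["target"].strip('"')
    entry["company"] = entry["company"].strip()
    return entry

def reasons(entry):
    """List the traits that make an autorun entry worth a closer look."""
    path = PureWindowsPath(entry["target"])
    found = []
    if any(part.lower() in {"temp", "tmp"} for part in path.parts[:-1]):
        found.append("target lives in a Temp directory")
    if path.suffix.lower() == ".dll":
        found.append("Run value names a DLL rather than a program")
    if not entry["company"]:
        found.append("trailing company field is empty")
    return found

def triage(log_text):
    """Map each flagged Run value name to the reasons it was flagged."""
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry and reasons(entry):
            flagged[entry["name"]] = reasons(entry)
    return flagged

if __name__ == "__main__":
    for name, why in triage(SAMPLE_LOG).items():
        print(f"{name}: " + "; ".join(why))
```

Targets that carry command-line arguments are not split from their path here, so the extension check only applies to bare paths like the one in this thread.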

@Eddy: Thanks for your advice. I ran a bootscan with avast and ran Malwarebytes but the threat was still there. I read the other posts before creating this one and they always suggest starting a new post. That is why I opened a new post.

@magna86: I ran OTL with the script you gave me and I also ran TDSSKiller. TDSSKiller didn’t find anything.
I am sending the two logs. It seems the problem is solved until now.

Should I check something more? Should I delete any of the software I’ve installed?

Thanks,

gallegoj

Should I check something more? Should I delete any of the software I've installed?
magna86 is in bed now, check back tomorrow ;)

I shall need both OTL and TDSSK logs. Please post them here.

Hi,

I forgot to attach the logs in the last reply, sorry for that.

Let’s check with TDSSKiller a little deeper.

[*]Re-run TDSSKiller.exe and click on Change parameters.
[*]Under Additional options check the boxes next to:
- Verify Driver Digital Signature;
- Detect TDLFS file system
- Use KSN to scan objects
[*]Click OK, and then click Start Scan button.
[*]If an infected file is detected, the default action will be Cure, click on Continue.
[*]If a suspicious file is detected, the default action will be Skip, click on Continue.
[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.
[*]Click the Report button and attach the contents of it into your next reply
Note: It will also create a log in the C: directory.

==========================

How’s your computer running now?

Hi Magna,

Sorry for answering late, but it is difficult for me to get access to my laptop during working time.
I ran TDSSKiller again with the parameters that you suggested. It didn’t detect any threat. I am attaching the LOG.

That’s it. :)

Re-run OTL and click on CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process, choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.

I recommend using MCShield if you will.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, but it will immediately clean the flash drive, memory card or external HDD.